Too bad the spec is stupid and requires password managers to be identifiable so servers can deny the "insecure ones". It's already a pain to use KeePassXC for OTP since they all want you to use their apps, but it's still doable (the worst offender being Steam, where you have to hack your own app to extract the OTP secret). With passkeys you won't have a choice but to use The Google Authenticator™ etc., because eventually some exec will find they can block every provider except their own to boost app download KPIs. I really like the concept of passkeys; the simple fact of using asymmetric keys is so much better than handing over the secret to prove you have it, but the spec is hostile and designed for vendor lock-in.
IIRC KeePassXC can just identify as Apple Passkeys and it will work fine.
No, the spec is for companies that need to enforce higher levels of security, so that you can e.g. only enable YubiKeys in your env. I hate big tech just like anybody else, but this is just spreading FUD right now.
Also, execs can already enforce their apps only: banking apps for approving transactions are already a thing, at least in Europe, no FIDO passkey needed.
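As an added illustration of the mechanism both sides are arguing about (this is example code written for this thread, not code from any commenter, from KeePassXC, or from the WebAuthn spec), here is how a relying party pulls the AAGUID out of the registration's authenticatorData and applies an authenticator allowlist. The AAGUIDs, RP ID and credential ID are constructed placeholders, and verifying the attestation statement's certificate chain is left out; only the field parsing and the policy decision are shown.

```python
import hashlib
import struct
import uuid

# Bits of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

# Constructed placeholder AAGUIDs; real vendors publish theirs in the FIDO MDS.
HARDWARE_KEY_AAGUID = uuid.UUID("11111111-1111-1111-1111-111111111111")
PASSWORD_MANAGER_AAGUID = uuid.UUID("22222222-2222-2222-2222-222222222222")
ZERO_AAGUID = uuid.UUID(int=0)  # what an authenticator reports when it does not identify itself


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split raw authenticatorData into rpIdHash, flags, signCount and, when the
    AT flag is set, the attested credential data (AAGUID, credential ID, COSE key).
    The COSE public key is CBOR; it is returned unparsed as opaque bytes."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
        "cose_key": None,
    }
    if flags & FLAG_AT:
        body = auth_data[37:]
        if len(body) < 18:
            raise ValueError("truncated attested credential data")
        parsed["aaguid"] = uuid.UUID(bytes=body[:16])
        cred_len = struct.unpack(">H", body[16:18])[0]
        cred_id = body[18:18 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID runs past end of data")
        parsed["credential_id"] = cred_id
        parsed["cose_key"] = body[18 + cred_len:]
    return parsed


def registration_decision(auth_data: bytes, attestation_fmt: str, rp_id: str,
                          allowed_aaguids: set, require_attestation: bool) -> str:
    """Enterprise-style policy: accept only authenticator models on the allowlist,
    and only when the model claim can be backed by an attestation statement."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    if parsed["aaguid"] is None:
        return "reject: registration carries no attested credential data"
    # With fmt "none" nothing binds the AAGUID to a vendor: it is whatever the
    # client chose to put there, so it cannot be used to gate authenticators.
    if attestation_fmt == "none" or parsed["aaguid"] == ZERO_AAGUID:
        return "reject: attestation required" if require_attestation else "accept: authenticator model unverified"
    # A real RP verifies the attestation statement against a trusted root here
    # (e.g. FIDO MDS) before trusting the AAGUID; that step is omitted in this example.
    if parsed["aaguid"] in allowed_aaguids:
        return "accept"
    return "reject: authenticator model not on allowlist"


def make_auth_data(rp_id: str, aaguid: uuid.UUID, credential_id: bytes,
                   flags: int = FLAG_UP | FLAG_UV | FLAG_AT, sign_count: int = 0) -> bytes:
    """Build a constructed authenticatorData blob for testing the parser."""
    cose_key_stub = b"\xa0"  # empty CBOR map standing in for the COSE public key
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid.bytes + struct.pack(">H", len(credential_id))
            + credential_id + cose_key_stub)


if __name__ == "__main__":
    allow = {HARDWARE_KEY_AAGUID}
    for label, aaguid, fmt in [("hardware key", HARDWARE_KEY_AAGUID, "packed"),
                               ("password manager", PASSWORD_MANAGER_AAGUID, "packed"),
                               ("self-reported only", HARDWARE_KEY_AAGUID, "none")]:
        blob = make_auth_data("example.com", aaguid, b"\x01" * 16)
        print(f"{label}: {registration_decision(blob, fmt, 'example.com', allow, True)}")
```

The point the code makes explicit: the AAGUID only carries weight when the attestation statement is verified against a trusted root. Without that step, or with attestation format "none", the value is self-reported, which is exactly why a software authenticator can present whichever AAGUID it likes to a site that does not check, and why an enterprise RP that really wants "YubiKeys only" must pin to attestation roots rather than to the AAGUID string alone.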
> exportable passkeys
But didn't the author hint that this could get blocked?
My general read on passkeys and their implementers is that exportability is seen as a risky feature, and there's a push to make it as opaque as possible, likely through attestation or similar mechanisms.
[1]: https://github.com/keepassxreboot/keepassxc/issues/10407